EBA/GL/2019/04 – EBA Guidelines on ICT and security risk management

The guidelines provide a comprehensive framework for financial institutions to manage information and communication technology (ICT) and security risks. They cover various aspects of technology risk management, including the management of third-party services, system availability, system recoverability, cyber security operations, and IT project management.

“Financial institutions should test their BCPs periodically. In particular, they should ensure that the BCPs of their critical business functions, supporting processes, information assets and their interdependencies (including those provided by third parties, where applicable) are tested at least annually, in accordance with paragraph 89.”